May 15, 2017

wannacry

I run an out-of-date version of Windows on some of my laptops, with Windows Update shut down. I used to work in the security and anti-virus industries, on advanced threat detection and remediation. I should be the last person on Earth to say, “You don’t need to patch a properly run Windows system newer than XP — ever.” But so far, I can make that statement and stick to it, even with wannacry.

So, how do I stay ahead of ransomware?

Shut down most inbound ports via the firewall; uninstall the most dangerous services. Wannacry uses ports 445, 137, 138, and 139. I long ago stopped the Windows SMB server on my machines, as that’s always been a security hole. I also long ago uninstalled the SMB service on my home PCs. It’s great in an AD environment, but who uses AD at home?
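The firewall and service shutdown described above, as an added PowerShell example that is not part of the original post. It assumes an elevated PowerShell on Windows 8.1 or Windows 10 (the NetSecurity, SmbShare and DISM cmdlets it uses ship with those versions); the rule display names are my own choice. It blocks inbound traffic on the four ports named in the post, stops and disables the SMB server service, turns off the SMBv1 protocol that wannacry spreads through, and then reports what is still listening so the change can be checked rather than assumed.

```powershell
#Requires -RunAsAdministrator
# Added example, not the post's own script. Run in an elevated PowerShell.

# The SMB / NetBIOS ports the post says wannacry uses.
$smbPorts = @(
    @{ Protocol = 'TCP'; Port = 445 },   # SMB direct hosting
    @{ Protocol = 'TCP'; Port = 139 },   # NetBIOS session service
    @{ Protocol = 'UDP'; Port = 137 },   # NetBIOS name service
    @{ Protocol = 'UDP'; Port = 138 }    # NetBIOS datagram service
)

# 1. Block inbound traffic on each port on every firewall profile (domain, private, public).
#    Rule names are my own; the check keeps the script idempotent on re-runs.
foreach ($p in $smbPorts) {
    $name = "Block inbound SMB $($p.Protocol)/$($p.Port)"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol $p.Protocol `
            -LocalPort $p.Port -Action Block -Profile Any | Out-Null
        Write-Host "Added firewall rule: $name"
    }
}

# 2. Stop the SMB server service (LanmanServer) and keep it from starting at boot.
Stop-Service -Name LanmanServer -Force -ErrorAction SilentlyContinue
Set-Service  -Name LanmanServer -StartupType Disabled

# 3. Turn off SMBv1 on the server side and remove the optional component entirely.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
$smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($smb1 -and $smb1.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    Write-Host "SMB1Protocol feature disabled (reboot required to finish removal)."
}

# 4. Verify: list anything still listening on the TCP SMB ports, and confirm the rules exist.
$listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in 445, 139 }
if ($listening) {
    Write-Warning "Still listening on SMB ports (blocked at the firewall, but the service is up):"
    $listening | Select-Object LocalAddress, LocalPort, OwningProcess | Format-Table
} else {
    Write-Host "Nothing listening on TCP 445 or 139."
}
Get-NetFirewallRule -DisplayName 'Block inbound SMB*' |
    Select-Object DisplayName, Enabled, Direction, Action | Format-Table
```

The firewall rules are the part that matters most: even if a service comes back (an update, a feature install), inbound 445/139 stays blocked on public networks, which is exactly the case the post cares about. The verification step is there because stopping the service is not the same as confirming nothing answers on the port.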

30-day offsite cloud backups from Backblaze. Wonderful service!

This is insurance. If a ransomware attack did make it through, say via an unpatched 0-day, I can get my stuff back from my offsite backups.

Encrypted personal files.

I believe that all systems are inherently “public”. So, I use full disk encryption and password vaults with strong passwords.

I think the LinkedIn hack is a great example — I viewed LinkedIn as a “low priority” password, and had a variant of that password with some mods against my Bitbucket. LinkedIn leaked a password in the big data breach they had, and hackers got into my Bitbucket from a dictionary attack using that password. Luckily, I didn’t have anything of value on BB, but I now use a unique password on every site, and I use two-factor auth whenever possible.

Git + Dropbox. Any file I deem of value is also in a git repo somewhere. I have 2 of them. It’s really easy to make a Dropbox folder, then add that entire folder to a git repo. A virus will encrypt your Dropbox — oh well. Just delete the directory and “git pull”.

No linked MSA — even on Windows 10. This is a bit harder, but I worry: if someone hacks my Microsoft account — say via a shared password on LinkedIn — they can lock me out of my PCs just by changing the MSA password. Thus, I don’t use an MSA login on some of my Windows PCs. This has the benefit of also killing a lot of MS spyware (like Cortana).

No IE/Edge. I use a security-focused browser.

Ad blocker. The one virus infection I had 10 years ago was from an ad served by a reputable website that exploited an Adobe Acrobat 0-day on my machine while I was in another room. That forced me to analyze the virus and see what it did.

Registry dumps. Again, insurance for when I do eventually get hacked. With a registry dump, I can format the machine and import the .reg file. This means a lot of my software installs remain “working” just by restoring backups.
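The registry-dump and Git + Dropbox insurance from the two items above, combined into one added PowerShell script that is not part of the original post. It assumes `reg.exe` and `git` are on the PATH, that the folder in `$BackupRoot` (a placeholder path) is a Dropbox folder already initialised as a git repository, and that the hive list is the one I chose; nothing here is the post's own tooling. It exports the hives to a dated folder, commits them, and keeps the matching restore command next to the export so the recovery path is written down before it is needed.

```powershell
# Added example, not the post's own script.
param(
    # Placeholder: a Dropbox folder that is also a git repo (git init + remote already set up).
    [string]$BackupRoot = "$env:USERPROFILE\Dropbox\backups\registry"
)

$stamp = Get-Date -Format 'yyyy-MM-dd'
$dest  = Join-Path $BackupRoot $stamp
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# Hives worth keeping. HKCU carries per-user app settings; HKLM\SOFTWARE carries
# machine-wide install and licence data, which is what makes reinstalled software "just work".
$hives = @{
    'HKCU'          = 'hkcu.reg'
    'HKLM\SOFTWARE' = 'hklm-software.reg'
}

foreach ($key in $hives.Keys) {
    $out = Join-Path $dest $hives[$key]
    # /y overwrites an existing file without prompting.
    & reg.exe export $key $out /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export of $key failed (exit $LASTEXITCODE)" }
    Write-Host ("Exported {0} -> {1} ({2:N0} KB)" -f $key, $out, ((Get-Item $out).Length / 1KB))
}

# Record the restore command beside the dumps so it is there when the machine is rebuilt.
@"
Restore after a fresh install (elevated prompt), one hive at a time:
  reg import "$dest\hkcu.reg"
  reg import "$dest\hklm-software.reg"
Import HKLM\SOFTWARE only after the same software has been reinstalled, or expect broken paths.
"@ | Set-Content (Join-Path $dest 'RESTORE.txt')

# Commit so the dump survives even if the Dropbox copy is later encrypted by ransomware:
# the git history is a second, independent copy that can be pulled back from the remote.
Push-Location $BackupRoot
try {
    git add -A
    git commit -m "registry dump $stamp" --quiet
    if ($LASTEXITCODE -ne 0) { Write-Warning "git commit failed or nothing to commit" }
} finally {
    Pop-Location
}
```

One check before relying on this: a full HKCU export can contain saved credentials and application tokens in plain text, so the git remote holding these dumps should be private and the disk they sit on should be under the full-disk encryption the post already uses. Size is the other thing to watch; HKLM\SOFTWARE exports often run to hundreds of megabytes, and a repo that grows by that much per dump wants pruning of old dated folders.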

I know it’s only a matter of time before I’m hacked. Some 0-day exists out there that I’m vulnerable to. And, I choose to run Windows instead of Linux (and let me tell you — as a data scientist, that’s such a pain. TensorFlow, Python, etc. are just such a pain to get working.) — so it’s really a matter of time before either I’m hacked, Microsoft is hacked, or one of my web services is hacked. But so far, knock on wood, the mix of firewall settings, service shutdowns, encryption, backups, and web services allows me to run “unpatched” on some of my systems (even on public networks) and remain uninfected.

By the way — this bothers me. I have to take so many steps to keep ahead of bad guys, and I know I’ll lose one day. It’s really just a matter of time. I wish MS would do a few things:

Unlink Microsoft Accounts (MSAs). MS does a good job securing their network. But linked MSAs are a recipe waiting for an exploit. The bad guys don’t hack the PC — they hack the MSA system, and they’ve hacked, perhaps silently, all PCs using MSA login.

Join/Unjoin Windows Update. Allow old PCs that have turned off patching to rejoin whenever. Technically, MS does this — but does it really badly. If you fall behind enough, you can’t ever catch up, as WU will just stop working.

Their answer is to force updates in Windows 10. But this just pisses off users who don’t want to lose their computer for a day every 6 months or so as new, mostly non-security, patches are installed and existing preferences lost. Who needs Cortana? Why reset to Edge every six months? The current approach is too heavy-handed and self-serving.

These 4 steps would greatly improve security for Windows. Three of them are relatively easy, and MS could do them in a few months. Some are hard, but can be done with acquisitions and smart policy. I don’t know how many “blaster” or “wannacry” outbreaks are needed before MS does the right things to make security better for users without being self-serving.